[PATCH 1/2] Fixed spelling errors.
by Michele Newman
---
RHEL6/input/auxiliary/alt-titles-stig.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml
index 9805185..13808dd 100644
--- a/RHEL6/input/auxiliary/alt-titles-stig.xml
+++ b/RHEL6/input/auxiliary/alt-titles-stig.xml
@@ -450,7 +450,7 @@ The audit system must be configured to audit user deletions of files and program
The audit system must be configured to audit changes to the "/etc/sudoers" file.
</title>
<title rule="audit_kernel_module_loading" shorttitle="Ensure auditd Collects Information on Kernel Module Loading and Unloading">
-The audit system must be configured to audit the loading and unloading of dynmaic kernel modules.
+The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
</title>
<title rule="disable_xinetd" shorttitle="Disable xinetd Service">
The xinetd service must be disabled if no network services utilizing it are enabled.
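Review bot: no logic concern in this hunk; the corrected wording "dynamic kernel modules" agrees with the rule id audit_kernel_module_loading and its shorttitle, so this is a pure spelling fix.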
@@ -489,7 +489,7 @@ The ypbind service must not be running.
The TFTP service must not be running.
</title>
<title rule="uninstall_tftp-server" shorttitle="Uninstall tftp-server Package">
-The tftp-servicer package must not be installed.
+The tftp-server package must not be installed.
</title>
<title rule="tftpd_uses_secure_mode" shorttitle="Ensure tftp Daemon Uses Secure Mode">
The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
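Review bot: the corrected package name "tftp-server" now matches both the rule id uninstall_tftp-server and the shorttitle "Uninstall tftp-server Package"; no further change is needed in this hunk.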
--
1.8.0
11 years, 5 months
NTP server(s)
by Gary Gapinski
Dunno if this is worth a change or not, but the gentleman from Raytheon
mentioned that the older STIG recommended several NTP servers.
Having been burned personally by a shady NTP server, as well as a shady
local oscillator, best practice might be 3+ (to ensure quorum).
The current content (V-150) only requires that NTP be enabled (a very
good thing) and that there is at least one server. (better than none).
Banner from low to ??
by Michele Newman
Here are the rule references for banner; what severity should they be set to?
services/ftp.xml:106:<Rule id="ftp_present_banner">
services/mail.xml:259:<Rule id="postfix_server_banner">
services/ssh.xml:296:<Rule id="sshd_enable_warning_banner">
system/accounts/banners.xml:38:<Rule id="set_system_login_banner">
system/accounts/banners.xml:95:<Rule id="enable_gdm_login_banner">
system/accounts/banners.xml:121:<Rule id="set_gdm_login_banner_text">
======================================================
Michele Newman RHCE, RHCVA (Sr. Consultant)
Email: mnewman(a)redhat.com Cell: 410.499.6177
Red Hat Consulting http://www.redhat.com/consulting
======================================================
Red Hat, Inc. | 1801 Varsity Dr | Raleigh, NC | 27606
[PATCH 0/2] added alt titles and rationale
by David Smith
added alternate titles to the items recently included in the STIG server profile
David Smith (2):
added alternate titles
added rationale
RHEL6/input/auxiliary/alt-titles-stig.xml | 42 ++++++++++++++++++++++++++--
RHEL6/input/system/permissions/files.xml | 14 +++++-----
2 files changed, 46 insertions(+), 10 deletions(-)
[PATCH 0/4] overdue sync between CCI refs and STIG profile
by Jeffrey Blank
A few items noted as missing have been added to the STIG profile.
To prevent such oversights in the future, there now exist tools to ensure that
all Rules with CCI references are included in the STIG profile (or rather,
developers can easily note any that are not, and act accordingly).
This can be done by the new Makerule "make submission-stig-check".
A few Rules currently bear CCI references but had been
indicated not to be included. I believe that liberating
these Rules of the CCI reference will not decrease satisfaction
of the OS SRG, though such changes will be reflected in the SRG
mapping. I will leave it to others to decide how to adjust.
Jeffrey Blank (4):
added new Makerule to activate checking Profiles for reference inclusion
added Rules w/CCI to STIG profile after running script
removed some CCI references from best-practice base service disablement Rules
renamed a Rule, removed redundant CCI ref
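The check the cover letter describes (every Rule carrying a CCI reference must be selected in the STIG profile), as an added Python example that is not the project's own make target. It assumes Rules carry `<ref disa="..."/>` as seen elsewhere in this thread and that profiles select rules with `<select idref="..." selected="true"/>`; the XML fragments are constructed and "9999" is a placeholder CCI.

```python
"""Report Rules that cite a CCI (disa="...") but are not selected in the STIG
profile. Added example; the Rule and Profile XML below are constructed, and the
<select idref selected="true"/> selection syntax is an assumption."""
import xml.etree.ElementTree as ET

# Constructed Rule fragment: disa="48,50" is quoted from this thread, "9999" is a placeholder CCI
RULES_XML = """<Group id="banners">
  <Rule id="set_system_login_banner" severity="medium">
    <ref nist="AC-3, CM-6, AC-8" disa="48,50" />
  </Rule>
  <Rule id="disable_xinetd">
    <ref nist="CM-7" disa="9999" />
  </Rule>
  <Rule id="uninstall_tftp-server">
    <ref nist="CM-7" />
  </Rule>
</Group>"""

# Constructed profile; disable_xinetd carries a CCI but is not selected (the oversight)
PROFILE_XML = """<Profile id="stig-server">
  <select idref="set_system_login_banner" selected="true"/>
  <select idref="uninstall_tftp-server" selected="true"/>
  <select idref="disable_xinetd" selected="false"/>
</Profile>"""

def rules_with_cci(rules_xml):
    """Return {rule_id: [cci, ...]} for every Rule with a non-empty disa attribute."""
    out = {}
    for rule in ET.fromstring(rules_xml).iter("Rule"):
        ccis = []
        for ref in rule.findall("ref"):
            ccis += [c.strip() for c in ref.get("disa", "").split(",") if c.strip()]
        if ccis:
            out[rule.get("id")] = ccis
    return out

def selected_rules(profile_xml):
    """Return the set of rule ids the profile selects with selected="true"."""
    return {s.get("idref") for s in ET.fromstring(profile_xml).iter("select")
            if s.get("selected") == "true"}

def missing_from_profile(rules_xml, profile_xml):
    """Rules that cite a CCI but are not selected: the SRG coverage gaps."""
    sel = selected_rules(profile_xml)
    return {rid: ccis for rid, ccis in rules_with_cci(rules_xml).items() if rid not in sel}

if __name__ == "__main__":
    for rid, ccis in sorted(missing_from_profile(RULES_XML, PROFILE_XML).items()):
        print(f"{rid}: cites CCI {','.join(ccis)} but is not in the STIG profile")
```

Run against the real input tree, the same two functions would be fed the concatenated Rule files and the profile XML instead of the constructed strings.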
RPM verification/file permission question
by Robert Sanders
I raised a question on the call earlier noticing the absence of any ACL related checks in the RHEL6 STIG compared to the RHEL5 STIG. Someone (Shawn? - apologies if incorrect) said that RPM would ensure correct settings. I was thinking about this afterward and wondered if there should be a line item requiring a periodic 'have rpm verify all installed packages' check. While RPM will make sure that things are set up correctly, I didn't see any checks to see if a change had been made to ACLs after the fact. AIDE might pick up on this also, but I've never used it so I don't know.
Sincerely,
Rob Sanders
===========================
Rob Sanders
Sr. Secure Systems Engineer
Raytheon Trusted Computer Solutions
12950 Worldgate Drive, Suite 600
Herndon, Virginia 20170
Security Blanket Support: 1-866-230-1317
Security Blanket Email: SecurityBlanket(a)TrustedCS.com
Office: 703-896-4762
Fax: 703-318-5041
Email: RSanders(a)TrustedCS.com
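The periodic "have rpm verify all installed packages" check raised above, as an added Python example (not from the list or the project) that parses `rpm -Va` output and reports files whose mode, owner or group no longer match the package database. The sample output is constructed; note that rpm -V compares mode (M), user (U) and group (G) but does not inspect POSIX ACLs, so it only partly covers the ACL question.

```python
"""Parse `rpm -Va` output and flag files whose mode, owner or group drifted
from the package database. Added example; SAMPLE is constructed. rpm -V
reports M/U/G drift but does not inspect POSIX ACLs (setfacl changes)."""
import re

# Column order of the 9-character rpm verify status string (rpm 4.8 on RHEL 6):
# S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime, P caps
FLAGS = "SM5DLUGTP"
PERMISSION_FLAGS = {"M", "U", "G"}

# status, optional attribute letter (c config, d doc, g ghost, l license, r readme), path
LINE_RE = re.compile(r"^(?P<status>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")

# Constructed sample of rpm -Va output
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /var/log/audit
.....UG..    /usr/bin/passwd
missing      /usr/share/doc/pkg/README
.......T.    /usr/lib64/libfoo.so.1
"""

def parse_verify(text):
    """Yield (status, attr, path) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("status"), m.group("attr"), m.group("path")

def permission_drift(text):
    """Return {path: set(changed flags)} for entries whose mode/owner/group changed.
    Config files (attr 'c') routinely differ in size/digest/mtime; that is not
    permission drift and is ignored unless M, U or G is also set."""
    drift = {}
    for status, attr, path in parse_verify(text):
        if status == "missing":
            continue
        changed = {f for f, c in zip(FLAGS, status) if c == f} & PERMISSION_FLAGS
        if changed:
            drift[path] = changed
    return drift

if __name__ == "__main__":
    for path, flags in sorted(permission_drift(SAMPLE).items()):
        print(f"{path}: {''.join(sorted(flags))} changed since install")
```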
[PATCH 0/2] some QA and text changes
by David Smith
To reflect the reality of UEFI installations, instructions pointing to "/boot/grub/grub.conf" were changed to "/etc/grub.conf".
David Smith (2):
additional QA work
changed text to /etc/grub.conf
RHEL6/input/services/nfs.xml | 4 +++
RHEL6/input/services/xorg.xml | 2 +
RHEL6/input/system/accounts/physical.xml | 32 +++++++++++++++---------------
RHEL6/input/system/network/wireless.xml | 3 ++
4 files changed, 25 insertions(+), 16 deletions(-)
[PATCH 0/2] quick fixes
by Jeffrey Blank
for RPM verify and validation
Jeffrey Blank (2):
quick fixes to severity placement (for validation)
added RPM verify back in -- oops!
RHEL6/input/profiles/STIG-server.xml | 2 ++
RHEL6/input/profiles/common.xml | 1 -
RHEL6/input/system/accounts/pam.xml | 2 +-
RHEL6/input/system/accounts/physical.xml | 2 +-
.../accounts/restrictions/password_expiration.xml | 2 +-
RHEL6/input/system/network/kernel.xml | 2 +-
6 files changed, 6 insertions(+), 5 deletions(-)
[PATCH 1/4] Changed banner severity from low to medium, same as RHEL 5 STIG.
by Michele Newman
---
RHEL6/input/system/accounts/banners.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/banners.xml b/RHEL6/input/system/accounts/banners.xml
index 67e7928..eaef2ae 100644
--- a/RHEL6/input/system/accounts/banners.xml
+++ b/RHEL6/input/system/accounts/banners.xml
@@ -35,7 +35,7 @@ be expressed by the '\n' character.</description>
<value selector="dod_short">I've read & consent to terms in IS user agreem't.</value>
</Value>
-<Rule id="set_system_login_banner">
+<Rule id="set_system_login_banner" severity="medium">
<title>Modify the System Login Banner</title>
<description>
To configure the system login banner:
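Review bot: severity="medium" on set_system_login_banner agrees with the 25-OCT consensus-call note elsewhere in this thread that banner severity must be medium; no concern with this hunk.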
@@ -92,7 +92,7 @@ The following sections describe how to configure the GDM login
banner.
</description>
-<Rule id="enable_gdm_login_banner">
+<Rule id="enable_gdm_login_banner" severity="medium">
<title>Enable GUI Warning Banner</title>
<description>
To enable displaying a login warning banner in the GNOME
@@ -118,7 +118,7 @@ reinforces policy awareness during the logon process.
<ref nist="AC-3, CM-6, AC-8" disa="48,50" />
</Rule>
-<Rule id="set_gdm_login_banner_text">
+<Rule id="set_gdm_login_banner_text" severity="medium">
<title>Set GUI Warning Banner Text</title>
<description>
To set the text shown by the GNOME Display Manager
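Review bot: this series touches only the three banner Rules in banners.xml, while the earlier "Banner from low to ??" mail also lists ftp_present_banner, postfix_server_banner and sshd_enable_warning_banner; please confirm the remaining patches in the series raise those to medium as well, or state why they stay at their current severity.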
--
1.8.0
draft notes & actions from 25-OCT DoD call
by Shawn Wells
Here are the notes that Michele and I took during the call. Before I
send to a wider list (gov-sec, mil-oss, etc) what'd I forget? Also using
this list to generate action items.
Procedural Next Steps:
(1) Flurry of activity today to finalize severity ratings, services, etc.
(2) Shawn to generate a "STIG Informal Draft RC1" RPM. Perhaps using a
more clever name.
(3) DISA FSO to publicly publish an "Informal Draft" by 7-NOV. This draft
will include prose only -- no automation.
(4) DISA FSO to publicly publish a "Formal Draft" by 26-DEC. Still no
automation.
(5) Public comment period on "Formal Draft" ends on 17-DEC
(6) Once comments are included/requirements formalized by DISA FSO, OVAL
content review begins 9-JAN
(7) DSAWG (sp?) review 12/13-FEB
(8) Delivery of OVAL to government in April
(9) Final RHEL6 STIG, including automation, ~20-MAY-2013
Required changes based on 25-OCT DoD Consensus Call:
(1) Need to remove notes about network services.
(2) Change banner severity to medium. Strong feedback from DoD community
this must be medium for legal requirements
(3) SELinux should never be disabled, but permissive could be OK. Need
to update wording. Need to include prose around how to disable specific
enforcement types to allow SELinux to remain enforcing while unenforcing
select apps.
(4) Re-enforce RHEL6 STIG should not mandate a host security tool.
Double check wording AND OVAL of existing content
(5) GEN 1780 still applies? Need decision
(6) System Security Daemon content
(7) Add OVAL check for recursive filesystem walks to only check local
filesystems, otherwise locks machine. Michele thinks xdev will do the trick.
(8) Remove the V-7 check or add language somehow indicating it's OK to
run RHNSD when connecting to Satellite
(9) Add content for RHSM, Red Hat Subscription Manager
(10) OVAL content broke for " fixing keeping system up2date"
(11) Create table that lists STIG items that do not have OVAL check
(12)